The European Union (EU) adopted a new law in 2016 called the General Data Protection Regulation, or GDPR for short. It applies to any organisation, wherever it is established, that processes the personal data of people in the EU, not just EU-based companies. It comes into effect on May 25th 2018, which is just over a week away. But what does it mean, and should companies be worried?

What is the GDPR?

Firstly, the GDPR addresses a number of key areas around the privacy of individuals in the EU, in relation to the storage, processing and handling of their personal data. Personal data is any information relating to a person who can be identified, directly or indirectly, from it: a name or address identifies someone directly, while an online identifier such as an IP address or a customer number can identify them indirectly when combined with other data held. It can include the following:

Name

Address

Contact Information

Date of Birth

Health Records

Photographs

Resumes

Driver’s Licence


I’ve simplified and summarised the key points of the GDPR legislation below:

Every use of personal data needs a lawful basis. Consent is the best known of these, but it is only one of six (performance of a contract, a legal obligation and the organisation’s legitimate interests are others). Where consent is relied upon it must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. This can affect businesses who record calls as a matter of practice: they need to identify the basis for the recording and tell callers about it.

Each EU country has an independent supervisory authority which handles complaints from individuals relating to the storage and usage of their personal data, and which can investigate and impose sanctions.

Personal data should be stored and processed in a way that does not, by itself, identify the data subject. The GDPR calls this pseudonymisation and names it, alongside encryption, as an appropriate technical measure under "data protection by design" and the security requirements. This means techniques like encryption, tokenisation and masking need to be understood, and how they can be applied to the data: the directly identifying fields are separated from the rest of the record and kept under tighter control than the pseudonymised data that day-to-day systems work with.

Companies must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the risk to individuals is high, the affected people must also be told without undue delay. The clock starts at awareness, so detection and incident response capability matter as much as the notification process itself.

Customers have the right to request erasure of their data. This means that businesses, including cloud providers, need to ensure they are using the appropriate security controls to remove that data wherever it lives, including replicas and backups. This can include crypto-shredding (encrypting each person’s data under its own key and destroying that key on erasure, which makes every remaining copy of the ciphertext unrecoverable), secure overwriting, and encryption at rest so that deletion of storage media is sufficient.
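The pseudonymisation point above and the crypto-shredding point here are two sides of the same design: keep the directly identifying fields apart from the processing data, encrypt them under a per-subject key, and make erasure a key deletion. The following is an added example written for this article, not code from the author or from any product mentioned on the page. It assumes a layout of my own (a key store mapping subject IDs to a token and a data encryption key, a "vault" of encrypted identifying fields keyed by token, and a pseudonymised record set) and uses only the Python standard library, so the cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC rather than the AES-GCM a production system would use. It also shows the export a data portability request would need, and that the same export fails once the key has been shredded.

```python
"""Pseudonymisation + crypto-shredding demo (added example, stdlib only).

Assumed layout (my own, not from the article):
  key_store: subject_id -> (token, per-subject data encryption key). In a real
             system this is the KMS/HSM-backed component with the tightest
             access control and the shortest retention of backups.
  vault:     token -> ciphertext of the directly identifying fields.
  records:   token + non-identifying payload: the dataset that analytics,
             reporting, replicas and backups actually see.
Erasure deletes only the key-store entry; every copy of the vault ciphertext,
including backups, becomes unrecoverable (crypto-shredding).
"""
import hashlib
import hmac
import json
import os
import secrets


def _subkey(dek: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one per-subject key.
    return hmac.new(dek, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF keystream. Demo construction so
    # the example runs without third-party packages; use AES-GCM from a vetted
    # library in real systems.
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(dek: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ks = _keystream(_subkey(dek, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # encrypt-then-MAC: nonce || ciphertext || tag


def decrypt(dek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(dek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    ks = _keystream(_subkey(dek, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class PseudonymisedStore:
    def __init__(self) -> None:
        self.key_store = {}  # subject_id -> (token, dek)
        self.vault = {}      # token -> encrypted identifying fields
        self.records = []    # pseudonymised processing data, no direct identifiers

    def ingest(self, subject_id: str, identifying: dict, payload: dict) -> str:
        # One random token and one fresh key per data subject.
        if subject_id not in self.key_store:
            self.key_store[subject_id] = (secrets.token_hex(16), os.urandom(32))
        token, dek = self.key_store[subject_id]
        self.vault[token] = encrypt(dek, json.dumps(identifying, sort_keys=True).encode())
        self.records.append({"token": token, **payload})
        return token

    def export(self, subject_id: str) -> dict:
        # Data portability: everything held about one subject, re-identified.
        if subject_id not in self.key_store:
            raise LookupError("no key for subject: never held or already shredded")
        token, dek = self.key_store[subject_id]
        identity = json.loads(decrypt(dek, self.vault[token]))
        return {"identity": identity,
                "records": [r for r in self.records if r["token"] == token]}

    def erase(self, subject_id: str) -> str:
        # Erasure by crypto-shredding: drop the key. The vault ciphertext (and
        # any backup of it) stays as bytes but can no longer be decrypted.
        token, _ = self.key_store.pop(subject_id)
        return token


def demo():
    store = PseudonymisedStore()
    # Constructed sample data, not real people.
    identity = {"name": "A. Example", "email": "a@example.test"}
    store.ingest("cust-1001", identity, {"invoice": "INV-1", "amount": 120.0})
    store.ingest("cust-1001", identity, {"invoice": "INV-2", "amount": 80.5})
    exported = store.export("cust-1001")       # portability request succeeds
    token = store.erase("cust-1001")           # erasure request: key destroyed
    leftover = store.vault[token]              # ciphertext still present on disk
    try:
        store.export("cust-1001")
        state = "readable"
    except LookupError:
        state = "shredded"
    return exported, state, leftover


if __name__ == "__main__":
    exported, state, leftover = demo()
    print(json.dumps(exported, indent=2))
    print("after erasure:", state, "| vault bytes retained:", len(leftover))
```

The records list never carries a name or e-mail, so backups and analytics copies of it are pseudonymised rather than identifying; the only place erasure has to reach is the key store, which is why its backup retention has to be shorter than the erasure deadline you promise.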

Customers are also able to obtain the personal data they have provided in a structured, commonly used, machine-readable format, and to have it transferred from one system to another (data portability).

Automated decision-making, using techniques such as rules-based scoring and artificial intelligence, is also under scrutiny. Customers have the right not to be subject to a decision based solely on automated processing where it has legal or similarly significant effects on them, and where such decisions are made they can ask for human intervention, express their point of view and contest the decision.

The overall effect of the GDPR is to provide improved protection for individuals in the EU and to unify the laws across the EU. This puts the onus on those businesses, including the cloud providers, to ensure that data is processed fairly and in accordance with the law. There are a number of sanctions that can be enforced, depending on the nature of the breach:

Written warnings.

Periodic data protection audits.

Fines of up to €20m or 4% of total worldwide annual turnover, whichever is higher, for infringements of the most significant provisions (a lower tier of up to €10m or 2% applies to other obligations).

So what should companies do? Firstly, they need to seek advice from an expert in European Union law to understand the potential impacts and next steps. Next they should audit their business processes and how they store data, to understand their current state. Then, with their legal expert, they need to interpret the law against that current state and create a series of overarching requirements. These requirements then need to be turned into concrete solutions.

Here is a great example of how market-leading SaaS cloud provider Xero is approaching its GDPR obligations in relation to its financial accounting package:

It’s very important to ensure that the IT, security, legal and operations departments are all working together closely to work through the issues and implement the solutions.

Want to know more about how you can secure your data and ensure you are following the latest best practices? Consider studying for the (ISC)² Certified Cloud Security Professional (CCSP) certification. I’d be glad to coach you through your questions and help expand your knowledge of all things security.

Paul Colmer

Paul "Cloud" Colmer is a forward thinking digital business leader, with a passion for the practical application of disruptive technologies. As Lead Digital Architect at ALC Group he has oversight and responsibility for ALC's Digital Architecture and Cloud instruction and advisory services complemented by an array of recent cloud certifications from AWS, VMware, Microsoft and ISC2.
